WHEN IS THERE ENOUGH CONTROL? By: J.P. Russell

Transcription

1 WHEN IS THERE ENOUGH CONTROL? By: J.P. QualityWBT Center for Education/ Gulf Breeze, FL Abstract: When standards require control, both management and auditors need to know the elements that must exist for there to be control. It is management s job to establish and implement controls and the auditor s job to determine if there is conformance to requirements. In the absence of specific guidance in performance standards (required procedures, records, or schedules) it is essential that auditors and management know when controls are adequate. We will discuss the interpretations of control (noun., adjective, and verb) and assessment techniques. Key Words: audit, process, technique *** Many performance standards such as ISO 9001:2000 call for control of an activity, process, function, department, or system. The word control is used 24 times in the ISO 9001:2000 and approximately 45 additional times in the draft TS In fact, the word control is frequently used in most all standards. When auditors audit against standards that require control, it is imperative that they are able to determine if there is sufficient control. Managers need to be able to demonstrate to auditors that they have implemented sufficient controls. A. Control Word The word control can be used in titles such as Control of production or Control of measuring devices. The word control also is used to describe a document such as a Control Plan. The word control may be used in sentences as a noun, an adjective, or a verb. When control is used as a verb, there must be some type of action which achieves a goal or objective. For example: The organization shall control the distribution of customer intellectual property. When control is used as a noun, it implies all of the various means (management tools) which ensures that objectives are achieved. For example: Organizations must implement controls. Management must ensure the control of product labeling. Enoughtcontrol J.P. Page 1 of 5

2 When control is an adjective, it describes a noun such as control chart or Control Plan. This indicates that the plan regulates the process Each manufacturer shall establish and maintain procedures to control labeling activities. This statement comes from Part 820, Quality System Regulation, Subpart K. It is unclear whether the existence of procedures is sufficient to control the activity or that the procedures need to be evaluated to ensure that there is control. Management uses many tools to ensure that operations are controlled. Control means can include: procedures, checklists, schedules, reviews, policies, budgets, instructions, forecasts, proforma statements, reports, flow charts, statistical techniques, records, software, devices, internal auditing, and so on. With such a host of tools available, how does the manager decide which combination of tools is needed? What is enough? One Internet article (Internal Control Integrated Framework, Executive Summary, accessed 10/16/01 at stated Internal Control means different things to different people. This causes confusion among businesspeople, legislators, regulators and others. This may very well be an understatement. B. Control Concept For organizations like the Institute of Internal Auditors, internal control is a business concept. Businesses need internal control to achieve profitability and performance targets, and prevent loss of resources. Internal controls are needed to provide reasonable assurance that objectives will be achieved. All this makes sense, yet as an auditor I am not sure I am any closer to answering a few fundamental questions. What is control? How do I know it exists? How do I determine if there is sufficient control? We know control is important for certain activities. We know management implements controls and auditors test for the controls. Perhaps all of auditing is nothing more than verification of required controls. Some standards have prescriptive to-do requirements that must be included in the control of an activity. When the control is audited, auditors can check off that certain specified requirements are in-place. Incoming orders must be controlled. 1. There must be a procedure that ensures orders are controlled. 2. Orders must be recorded. 3. Orders must be reviewed prior to acceptance. Enoughtcontrol J.P. Page 2 of 5

3 4. Order changes must be communicated to all interested parties. If we check off the four requirements, does the organization pass? Is there control? When a standard has a prescribed list of requirements, auditors can check-off where the organization has addressed each requirement. The implication is that if the organization addressed each specified requirement (as with incoming orders), then the process is controlled. Adequate control is then linked to the prescribed list of requirements. We assume that the prescribed list provided by the standard writers is commiserate with the risk and anticipates all situations. C. Control Process What if the requirement is open-ended like many of the requirements in the new ISO 9001:2000 standard? What if there is no specified requirement list? What if the standard requirement is: Incoming orders must be controlled to ensure customer requirements are met. This is a very reasonable requirement. The problem is that the auditor has to determine if the requirement has been addressed. And what would be the basis for noncompliance? What evidence would withstand the scrutiny of the exit meeting and a subsequent review, if a nonconformity is appealed or questioned? When requirements are open-ended, must the auditor be willing to accept any rational scenario or can the organization be challenged? Does simply having a procedure or method ensure adequate control? Is there control if output objectives are being met (e.g., less than 5% returns due to wrong order)? Standards may be viewed as a list of processes that must be controlled. Some standards have more prescriptive requirements than others. It is impossible for standard writers to anticipate every situation; therefore, auditors must test to determine if management is controlling the process or activity as required. A technique to determine if management has control is the process technique. The Process Technique uses the Plan Do - Check Act cycle (PDCA). 1. Plan A plan, procedure or method is developed (establish what needs to be done) 2. Do The plan, procedure or method is being followed (do what was planned) 3. Check The plan, procedure or method is monitored and/or measured against a criteria (know when it is done right) Enoughtcontrol J.P. Page 3 of 5

4 4. Act Action is taken to resolve the differences between expected and planned results (e.g., analyze and adjust to process) For management to control a process or activity, a predetermined method must be established. Without it, there is no basis to monitor or improve. The predetermined method can be in any form and should reflect the process risk. People must follow the predetermined method for monitoring or measuring data to be useful. Next, management must determine the criteria or objectives for success or acceptance. If any output of the predetermined method is acceptable, the process does not need to be controlled. And lastly, management must act on the results of comparing outputs to objectives. If management does not act on the results, either the process does not need to be controlled or management is incompetent. At the very basic and building-block level, an organization must address the four process technique requirements (PDCA) for there to be adequate control. With those techniques in mind, we may want to use the following definition: Management Control: When predetermined plans are followed, monitored against an acceptance criteria, and adjusted as needed to achieve objectives. D. Control Levels Not all controls are the same. The extent or levels of control must be relative to their risk to the organization. Every organization faces a variety of risks to its survival. The higher the risk, the more formal the controls should be. Organizations should assess the consequences of failure and establish controls relative to those consequences. From the highest level, the board of directors and CEO may determine that there needs to be control of financial reporting, effectiveness of operations, and compliance to laws and regulations (Internal Control Integrated Framework, Executive Summary, accessed 10/16/01 at Management identifies processes that need to be controlled either from self-determination or that are required by law. For control to be adequate it must be at the appropriate level relative to the organization, size, complexity, risk, and competency of employees. Auditors have at least two approaches that can be used to ensure that controls are adequate: the Process Technique (PDCA) for Auditing mentioned above and the Requirement techniques referenced in the standard (Subclause 7.5.1, Control of Production and Service Provision of ISO 9001) which has a handy list of specific things to consider for controlling an operation or process from which a checklist can be made. Enoughtcontrol J.P. Page 4 of 5

5 Conclusion: Simply speaking, there needs to be a method, it should be followed and monitored, and there should be a means to adjust the process. That is control. Auditors must test controls whether there is a prescriptive list or not and auditors must report if controls are not adequate. Enoughtcontrol J.P. Page 5 of 5